All Game-tuts VIP Stuff

Discussion in 'Xbox 360' started by Anubis, Aug 17, 2009 with 142 replies and 38,973 views.

  1. Anubis

    Anubis Information Technician - PCMasterRace

    Well, I decided to be a **** tonight before I went to bed, so I decided to leak apparently all the "Game-Tuts Exclusive" things from their VIP. Enjoy. Also, I didn't check to see if it's already on this site, so if it is, sorry; I'm going by the title at their site having "VIP Exclusive" in it.

    VIP Games Saves Site
    Right, I have created a simple site to host VIP ONLY saves.

    Here are the details to log in.

    Please upload saves in .zip or .rar and include a readme saying what gamerscore is unlocked and who the creator is, and name the file like "Fallout 3 1000g save set.rar".

    NEW RULE: When a save/program etc. is added, post what category it needs to go in.

    Site = Game Tuts VIP ONLY Saves Site! ::
    User = game-tuts
    Pass = gametuts-vip


    Category View
    - VIP Applications
      - Apps Made By YOU! (Just got something to show off or wanna share your apps you made? Put them here :biggrin:)
    - VIP Gamesaves
      - Arcade Games
      - Retail Games

    Tutorial: GH3 Autoplay
    Hey guys, this is tutorial on how to obtain autoplay for Guitar Hero 3 for the Xbox 360. It's really not that hard, so let's see how this goes.

    I posted this on another forum btw, in case you see it somewhere.

    First off, I would like to say, this would be a lot easier in a video, but for now I will just make a text tutorial.

    Secondly, before I start to go through the tutorial process, here's an example of what autoplay can do:

    YouTube - GH3 - Through The Fire and Flames 100% FC - X360 **With Hands** - Read info

    Subscribe to me! Anyways, on with the tutorial process:

    Things you will need:

    - Flashed Xbox 360
    - GH3 ISO (Doesn't matter where you get it, as long as you have one)
    - Queen BEE
    - DL DVD

    You can download those programs here:

    MEGAUPLOAD - The leading online storage and file delivery service

    Now on with the tutorial:

    1. First open up WX360

    2. Locate your GH3 ISO

    3. Go through the iso in WX360 like this: DATA/COMPRESSED/PAK

    4. Find these three files, you can quickly find them by pressing the letter of which they begin:


    Right click them and extract them to your desktop.

    5. Now open up queen bee and set the format to xbox (xen)

    6. Now in Queen Bee, click on the qb.pak file and locate the qb.pak file, it should autoload the rest of the files:

    7. Load the files and go to QB File Search

    8. Type in "bot" without the quotes.

    9. Now there should be multiple files starting with "bot"


    Simply click on that and change the value from 0 to 1.

    Change the bot_controller to 1 also so you can control the menu with your guitar.

    I have never done any other files except the top bot_play and top bot_controller because I have no idea what the others do. If you want to try it, go ahead.


    Step 10: Simply go back into WX360 and replace the dbg.pak.xen, the qb.pak.xen, and the qb.pab.xen accordingly and you should be finished.

    Step 11: Burn and play, have fun and don't abuse this online please.

    Tutorial by Zorravin

    Message KEVdog360 on Xbox live if you have any problems.

    Oh yeah, if you want me to add any pictures, just ask, I didn't have time to upload them when making this.

    VIP Free Premium Themes Tutorial
    Free Premium Themes Thread!

    - Share and download premium themes!
    - Exclusively for GameTuts VIPs!
    - Easy to follow tutorial, too!
    - Tutorial Author: Aer


    - XSata, XPort, or 360 Transfer Kit to access your Xbox 360 HDD or Memory Card
    - Xplorer360 to put the gamerpic CON files onto your Xbox 360 HDD or Memory Card

    How to Use

    (1) Download and unrar the premium themes you want and make sure not to change their filename.

      (2) Open up your Xbox 360 hard drive or memory card in Xplorer 360 and make the correct GameID folder and subfolder for the theme you are putting onto your hdd/memory card (see screenshot below).

      (3) Inject the premium theme into that created GameID folder and subfolder.

      (4) Turn on your Xbox 360 and select your new Premium Theme from the list!


    GameID Folder and Subfolder For Attached Themes:

    Winter Holiday 2008 Premium Theme
      GameID Folder: FFFE07C3
      Subfolder: 00030000
      View: YouTube - Xbox 360 Premium Holiday Theme
      Notes: This theme was released to at least North America right after NXE launched. Not all regions got it, so that's why I included it.

    OXM Lost Planet 2 Premium Theme
      GameID Folder: 494D8841
      Subfolder: 00030000
      View: YouTube - OXM: Lost Planet (Premium Theme)
      Notes: This premium theme came free with the U.S. OXM 96 disc I got two issues ago. It's not that great, but it is a premium theme, not a standard one!

    Kerrang Premium Theme
      GameID Folder: 5858080A
      Subfolder: 00030000
      View: YouTube - Kerrang Xtival Premium Theme
      Notes: This premium theme came with an issue of Kerrang magazine that contained a download code to get it. Thanks to zentaki for sending it to me!

    Xtival 09 Premium Theme
      GameID Folder: 5858080A
      Subfolder: 00030000
      View: YouTube - Xtival '09 Premium Theme
      Notes: This premium theme was given out for free to UK gamers a few weeks ago, I believe. Since I am in the US, zentaki also sent this one to me. Thanks!


    - All themes go in a 00030000 subfolder, just like all gamerpic files go in a 00020000 subfolder. Also, these GameID folders with their subfolders must be placed in your profile partition on your Xbox 360 HDD or Memory Card, which is the partition with all 0's, as you can see in the Xplorer360 screenshot of my memory card.

    - There is a 1 vs. 100 premium theme on the Canadian marketplace, if anyone could download it and post it to this thread!

    - Premium themes that you pay for cannot be shared at this time, as they are a signed Live container file, I believe. I have heard of a Live container resigner out there, and if anyone has it or can get paid-for premium themes to work for others another way, let me know and we can post those, too!

    - Any other free premium themes out there, please post to this thread! No regular themes though, please, unless they're requested by someone!

    [Release]HCM-Team Tag Informer Ver 1.0
    Well, it was simply because I got nothing to do today :tongue:


    It can:
    - Get GamerCard + Avatar
    - Save the Avatar and Card on PC
    - Store the research that you made previously on your computer for a faster Inform Session
    - No need to click Inform Me if you are ... um :tongue: Just hit Enter!

    It can't:
    - Get the password of a GamerTag
    - Hack accounts

    To be in 2.0:
    - Save GamerPicture
    - Get FriendList
    - Detailed Achievements

    This is the first release of HCM-Team; I'm still working on the Global Mod Tool for newbies.

    Download Link : MEGAUPLOAD - The leading online storage and file delivery service
    PS: (I obfuscated it, but I'm thinking of releasing the source code of version 2.0)

    Thank you, and post what you think of it or what could be done to it (design, functions).

    [Release] Avatar Loader v2.0
    Download from the gamesaves site.
    Game Tuts VIP ONLY Saves Site! :: Login

    All information on how to run and use the program is in the .txt files.
    Enjoy the program, this is the last release of the Avatar Loader!

    Note: Avio is in early stages of development; if you would like any information on the program or want to help, message me! If you would like to become a Beta tester for the program, then check out the "About" section on Avatar Loader.

    Community Project
    Saturday, 22nd August 2009
    Version: (1.0 BETA)

    Download: Project.rar


    Release notes: This is the first beta and I’m not expecting it to be perfect and you will/may experience a few issues so make sure you use the contact us feature located in the menus!
    This version will be getting updated with the automatic updates feature recently added
    Here is a full change log since the preview released last week

    Contact us *Added*
    Categories (Submitted) *Added*
    File a Complaint *Added*
    Updates *Added*
    Submit *Added*
    Debug *Added*
    Moderator & Admin communications *Added*
    XBL Friend Spammer *Added*
    About (Community Project) *Updated*
    UI *Updated*

    Levels of Permission

    The community project now tells you who submitted what by “Levels of permission”

    Red: Submitted or being moderated by the administrator

    Green: Submitted or being moderated by the moderator

    Pink: Submitted and being moderated by the user that submitted the application

    You will notice these are referred to as backdrops and are only available if you choose to integrate your application with the community project.

    Submitting an application
    When submitting an application it's important to read all the information before continuing; you will be granted 15 seconds to read through all the information before proceeding. Integrating your application is optional.

    Download: Project.rar

    More information coming soon.
    P.S The new version has been protected.

    VIP GPI 2.0
    GPI 2.0.rar

    Gamerpic Injector 2.0 (GPI 2.0)

    - New 2.0 version exclusively for GameTuts VIPs!
    - GPI 2.0 auto-resigns the CON files it makes containing your pictures!
    - GPI 2.0 has fast real-time searches and a log field, too!
    - Application Author: dschu012
    - Tutorial Author: Aer


    - XSata, XPort, or 360 Transfer Kit to access your Xbox 360 HDD or Memory Card
    - Xplorer360 to put the gamerpic CON files onto your Xbox 360 HDD or Memory Card

    How to Use

    (1) When you first load GPI 2.0, click on File -> Update Games -> All Games.


    (2) This will create a gamelist to search for gamerpics from.


    (3) Select a game from the list to search for gamerpics and click Search.

    (4) Click the pictures you want to have and they will show up on the right side of the screen (Maximum 30).

    (5) Click Export To Con to have those pictures put into a CON file and resigned. You can save the CON file as any filename you wish.


    (6) Move the CON file(s) with the pictures you got onto your Xbox 360's Hard Drive or Memory Card:

    Using Xplorer360:

    Hard Drive: Partition 3/Content/0000000000000000/FFFE07D1/00020000

    Memory Card: Partition 1/Content/0000000000000000/FFFE07D1/00020000

    Note: The GPI CON files with your pics can also be placed in any other 00020000 subfolder you may already have for a different ID other than FFFE07D1 if you want. It doesn't matter as long as it's a valid 00020000 subfolder.

    (7) Put Xbox 360 HDD or Memory Card back into your Xbox 360, go to change your gamerpicture, and your new pictures should show up at the bottom of your list.

    Add Other Pictures/Picture Packs

    (1) Find the gamerpic on the internet (such as from the forums) that you want and can't find in the GPI 2.0 gamelist.

    (2) Right click the image and click on View Image or Properties

    (3) In the URL to that image you should find something like:

    (4) The 8 digits after the "/global/t." are the GameID of that picture and in this case that's "444d07d1".

    (5) In GPI 2.0 go to File -> Add Game and put 444d07d1 in the Title ID field, type something in for Game Name or leave that field blank, and leave the Box Art URL field blank.

    (6) Click Ok and GPI 2.0 will auto-select that as the current GameID so click Search to find the pic you're looking for.

    Note: Some gamerpics you find will be linked from a different URL which does not contain the 8-digit GameID. In these cases, you will have to find that gamerpic somewhere else on the web. Every gamerpic is linked from two different URLs and often even multiple GameIDs, too!

    Advanced Features of GPI 2.0

    - Themes (File -> Settings -> Theme)
    GPI 2.0 has many colored themes for you to choose from for the application's interface.

    - Search Depth (File -> Settings -> Search Depth)
    GPI 2.0 allows you to set the search depth from 1 to 999. Higher search depths can yield more gamerpics, such as those unlocked with achievements from certain games.

    - Save Name (File -> Settings -> Save Name)
    GPI 2.0 allows you to customize the name that shows up on your Xbox 360's list of gamerpic packs. The old version of GPI would have the Xbox 360 showing GPI picture packs named "Gamerpic Injector" but now you can customize that!

    Useful Tools To Find Other Gamerpics

    I have come across many websites that I have used to find many GameID's that aren't found by GPI when it gathers updated game lists.

    360voice Leaderboard: Gamer tiles

    This is the best website ever since MyGamerCard's "Gamerpic Scout" went offline last November. Here you can find just about every gamerpic and they all contain the GameID if you right click them and click View Image or Properties. This is really useful for the latest OXM magazine pictures as well as others like Famitsu Xbox 360, etc.

    site: - Google Images

    Use this Google link I provide to just randomly browse gamerpics and right-click on any you like and go to View Image or Properties to find the GameID.

    Need More Help?

    If you need any help finding pictures or just need general help with the GPI 2.0 application, reply to this thread/post and myself (Aer) or dschu012 can help. He's the one who coded the program, and I am the one who has mastered its use, found hidden/unreleased gamerpics with it, and encouraged him to release it as a GameTuts VIP exclusive.

    Xbox 360 Tool Marketplace 1
    After a week of adding new features, and sorting the crap out of downloads and what not, Xbox 360 Tool Marketplace 1.0 is ready to roll. The program includes the following:

    - 4 new tools displayed ("Spot Light Tools")
    - Currently can hold up to 9 tools in the All Tools tab. If the program gets more popular I will add more.
    - Voice greeting and voice help message (courtesy of Microsoft Mike and some random chick)
    - Server status
    - The ability to share the programs via a download link (currently only Spot Light tools)
    - All Tools slot status
    - A rough sketch for game saves. I am working on a better-looking game save table.
    - A Submit Tool tab
    - A sexy About tab
    - A Support tab for people who want to help with server costs, by simply clicking an ad on my site to earn revenue.

    I did not secure this program's code, because it is actually very, very simple indeed. It just takes a good server and a lot of patience if you want to manipulate this.


    Download Instructions:

    Leave comments, bugs, or suggestions for the next version here.

    Unlock total control over your xbox 360
    Hey guys, found this while I was checking out some other forums. Thought it could be helpful. This is not my tutorial, it's actually Tmbinc's. Figured it could be helpful to someone here though :biggrin: Anyways, without further ado...

    Please note, this only works if you did not update the last dash (If you still can't buy clothes, you're good!)

    THE GOAL
    --------

    There is a new hack which can boot homebrew code in less than 5 seconds. See
    at the end of this document for a description of how the hack works. For now,
    all we need to know is that this is a new way to exploit the well-known 4532
    kernel, in a way which also works on updated machines, unless they have been
    updated by the summer '09 update. It also works on all hardware types.

    This document is a technical description meant for people who want to
    understand the hack. If you don't understand a word, calm down - there
    probably will be future releases, howtos etc.

    Please also notice that from a functional side, the result will be the same
    as the KK-hack; it's just much faster, works on more hardware and is more
    reliable. So it replaces the KK-hack, not less and not more.

    HOWTO
    -----
    First, determine your kernel version. This hack has been verified to work
    until the 849x update (summer 09).

    Determine your hardware type, which is either a Xenon (no HDMI), Zephyr
    (HDMI, but 90nm CPU/80nm GPU), Falcon/Opus (60nm CPU) or Jasper (new
    Southbridge, 60nm GPU, 60nm CPU).

    You need some files, which are not part of this package. We are still
    working on proper, legal ways to obtain these files, for example by
    obtaining them from files you already have (like a NAND backup).

    You need:

    - A suitable "CB/CD pack". This is a part of the bootloader, and you need a
      specific version for your hardware type:

      Xenon: 1921
      Zephyr: 4558
      Falcon: 5770
      Jasper: 6712

      (Especially on Xenon, you might be able to use an older version, too. But
      the newest one will work in any case.)

    - A hacked SMC code, *for your hardware type*.
    - Either a microcontroller doing the JTAG stuff, or a hacked SMC with JTAG
      code.
    - The 4532 kernel update, extracted (you need the xboxupd.bin)
    - A binutils cross toolchain to target the ppc64 arch
    - A compiled payload, like XeLL

    - A possibility to reprogram the NAND flash. You can use an external
      programmer, a SPI programmer (which will be released soon), or some
      dedicated hardware.
    Building a suitable image
    -------------------------

    In order to produce an image suitable for the attack, let's reconsider what
    we need:

    - A patched SMC firmware, which starts the CMD 07 "READ SECTOR(S) DMA" at
      the right time. Note that you need to use the right SMC based on your
      machine type. Yes, they are all different. Running a pre-Jasper code on a
      Jasper southbridge is particularly difficult to recover from. Be warned.
    - A microcontroller firmware which does the JTAG thing, implemented as a
      SMC patch.
    - A 2BL/4BL combination suitable for your machine type, with version 1920
      or up.
    - The 5BL (1888 base kernel), which is always the same binary.
    - The 4532 (or 4548) patch, extracted from the 4532/4548 system update.
    - An SMC config block, which stores some boring SMC-related data.
    - Our exploit buffer, which is DMA'ed into the kernel/HV
    - The code we want to run (XeLL, for example)

    The can build a flashrom image if you give it the right items.

    Example:

    python image_backup.bin input/C{B,D}.1920 input/4532_upd.bin \
        input/xell-backup.bin input/xell-1c.bin input/smc_hacked.bin

    where
    - image_backup.bin is your original NAND content,
    - C{B,D}.1920 are a suitable 2BL/4BL, in decrypted form
    - 4532_upd.bin is the xboxupd.bin from the 4532 update,
    - xell-1c.bin and xell-backup.bin are XeLLs linked to 0x01c00000
    - smc_hacked.bin is the SMC with the hacked read RTC handler (and possibly
      also the JTAG stuff)

    Multiple parts of the image will be generated in the output directory. You
    need to flash them all, at the proper positions.

    Flash these images into the 360 NAND flash. Needless to say, MAKE AN UPDATE
    FIRST! Also, remove R6T3! There is code out which can burn fuses, and
    potentially render boxes unusable. By removing R6T3, this won't be an issue
    anymore. Add the 3 resistors if you want to use the SMC-based JTAG hack.

    Connect a VGA cable, and power on the box. If you're greeted with a blue
    XeLL screen, then congratulations, everything is fine! Have fun!
    SMC GPIOs
    ---------

    So we need some hardware which uses JTAG to set the DMA target address soon
    in the bootup sequence, as long as JTAG still works. We started using an
    external microcontroller, but we already HAVE an on-board microcontroller -
    the SMC! There are some leftover GPIO ports, which are - at least on
    Xenon boards - easily accessible on the left. They operate at 3.3V, so we
    need some resistors to handle the 1.8V logic level of the GPU.

    Zephyr and up don't have so many GPIOs available anymore, but don't
    worry, we found a solution there, too.

    In case you are using the hacked SMC with the GPIO, please use 330 Ohm
    resistors to connect

    J1F1.3 --- [330R] --- J2D2.1
    J1F1.4 --- [330R] --- J2D2.2
    J1F1.5 --- [330R] --- J2D2.4
    How does this all work?
    -----------------------

    To understand this new hack, let's first look at what made the KK exploit
    possible: A fatal bug in the Hypervisor's Syscall Handler, introduced in the
    4532 kernel update. For more details, take a look at
    SecurityFocus which explains
    the problem in great detail.

    The KK exploit exploited the kernel bug by modifying an unsigned shader to
    do a series of so-called memory exports, an operation where the GPU can
    write the results of a pixel or vertex shader into physical memory. The
    shader was written to overwrite the Idle-thread context to make the kernel
    jump at a certain position in memory, with some registers under our control.
    In order to control all registers, a second step was necessary, this time by
    jumping into the interrupt restore handler. This finally allows all
    CPU general purpose registers to be filled with determined values. The
    program counter could be restored to a syscall instruction in the kernel,
    with register values prefilled so that they would trigger the exploit.

    The exploit basically allows jumping into any 32-bit address in hypervisor space.
    To jump into an arbitrary location, we just used a "mtctr, bctr"-register
    pair in hypervisor, which would redirect execution flow into any 64-bit
    address. This is important, since we need to clear the upper 32bit (i.e.,
    set the MSB to disable the HRMO), since the code we want to jump to is in
    unencrypted memory.

    This code would usually load a second-stage loader, for example XeLL, into
    memory, and start it. XeLL would then attempt to catch all CPU threads
    (because just the primary thread is affected by our exploit), and load the
    user code, for example from DVD.

    So, the following memory areas are involved:

    - Idle Thread context, at 00130360 in physical memory

      This stores the stack pointer (and some other stuff) when the idle thread
      was suspended. By changing the stack pointer, and then waiting for the
      kernel to switch to the idle thread, the stack pointer can be brought into
      our control. Part of the context switch is also a context restore, based on
      the new stack pointer.

    - Context restore, part 1, arbitrary location, KK expl. uses 80130AF0

      The thread-context restore doesn't restore all registers, but lets us
      control the NIP (the "next instruction" pointer). We set up NIP to point to
      the interrupt context restore, which does a SP-relative load of most
      registers.

    - Context restore, part 2, same base location as part 1

      We just re-use the same stack pointer, because the areas where the first
      context restore and the interrupt context restore load from do not overlap.
      The second context restore allows us to pre-set all registers with arbitrary
      64 bit values.

    - The HV offset, at 00002080 for syscall 0x46 on 4532

      Because of the HV bug, we can write this offset into unencrypted memory,
      giving us the possibility to jump into any location in the hypervisor space
      (i.e. with a certain "encryption prefix"). We usually write 00000350 here,
      which points to a "mtctr %r4; bctr" instruction pair in hypervisor, which
      lets us jump to %r4.

    - Our loader code, at an arbitrary location

      This code will be executed from hypervisor. It's the first of our code which
      will be executed. %r4 on the syscall entry has to point to this code.

    Only the idle thread context and the HV offset have fixed addresses.
    It's easily possible to merge this so that only two distinct blocks need to
    be written into memory, but it's not possible to merge this into a single
    block.

    Fortunately, the NAND controller allows doing DMA reads where the payload
    data is split from the "ECC"-data. Each page has 512 bytes of payload, and
    16 bytes of ECC data. Thus, a single DMA read can be used to load all
    required memory addresses. We chose the Payload to read the Idle Thread
    Context, the Context Restores and the loader code. The ECC data will carry
    the HV offset.
    To do a DMA read, the following NAND registers need to be written:

    ea00c01c  Address for Payload
    ea00c020  Address for ECC
    ea00c00c  address inside NAND
    ea00c008  command: read DMA (07)

    The System Management Controller (SMC) is an 8051 core inside the
    Southbridge. It manages the power sequencing, and is always active when the
    Xbox 360 has (standby or full) power applied. It controls the frontpanel
    buttons, has a Realtime clock, decodes IR, controls temperatures and fans
    and the DVDROM tray. It talks with the frontpanel board to set the LEDs.
    When the system is running, the kernel can communicate with the SMC, for
    example to query the realtime clock, open the dvd-tray etc. This happens
    over a bidirectional FIFO (at ea001080 / ea001090). See the XeLL SMC code
    for details.

    The SMC can read the NAND, because it requires access to a special NAND page
    which contains a SMC config block. This block contains calibration
    information for the thermal diodes, and the thermal targets etc. The 8051
    core has access to NAND registers, which are mapped into the 8051 SFRs. It
    uses the same protocol as the kernel uses, so it writes an address, does a
    "READ" command, and then reads the data out of the "DATA" registers.

    It could also do a "READ (DMA)"-command. So by hacking the SMC, we could
    make the box do the exploit, without any shader - the SMC can access the NAND
    controller all the time, even when the kernel is running (though it will
    likely interfere with the kernel). So, we just trigger the DMA read
    when the kernel has been loaded, and everything is fine.

    Right?

    Well, that would be too easy. While most NAND registers are mapped, the DMA
    address registers (1c, 20) are not. We can DMA, but only to the default
    address of zero (or wherever the kernel last DMAed into). Fail.

    The GPU, the (H)ANA (the "scaler" - which in fact doesn't scale at all, it's
    "just" a set of DACs, and, since Zephyr, a DVI/HDMI encoder), the
    Southbridge and the CPU have their JTAG ports exposed on the board. They are
    unpopulated headers, but the signals are there. CPU JTAG is a different
    (complex) story, and SB JTAG doesn't offer much functionality. ANA JTAG is
    boring since the ANA doesn't sit on any interesting bus. That leaves GPU
    JTAG.

    GPU JTAG was reverse-engineered until a point where arbitrary PCI writes are
    possible, up to a certain point. So that makes it possible to talk to each
    PCI device in the system, including the NAND controller. So we can simply
    use THAT instead of the SMC to start the DMA?

    Right?

    Well, not quite. The problem is that the "VM code", the code which does a
    lot of system initialization, like the memory (that code is also responsible
    for generating the 01xx "RROD"-Errors), sets a certain bit in some GPU
    register, which disables the JTAG interface. The VM code is executed way
    before the kernel is active. So this is fail, too.

    But the combination works - by programming the DMA target address via JTAG,
    and launching the attack via SMC. The attack can be launched as soon as the
    kernel is running, and quite early, it does query the SMC for the RTC. We
    abuse this call to start the attack instead, which is a perfect point for
    us.
    272 But how do we run an exploitable kernel at all? Most machines are updated
    273 already. Let me refresh your knowledge about the boot process again:
    275 1BL (Bootrom)
    277 Buried deep inside the CPU die, this ~32kb of ROM code is responsible for
    278 reading the 2BL from NAND-flash and decrypts it into the embedded SRAM in the
    279 CPU. It verifies the hash of the decrypted image with a signed block at the
    280 beginning of the 2BL, and will stop execution if this hash mismatches. This
    281 code also contains a number of test functions, which can be activated by
    282 pulling the 5 "POST IN"-pins, which are available on the backside of the
    283 PCB. None of these tests looks particulary interesting (from an exploitation
    284 perspective) - they mostly seem to be related to the FSB (the bus between
    285 CPU and GPU). This code is fixed, and all systems use identical code here.
    287 2BL ("CB")
    289 This code is usually located at 0x8000 in NAND flash. It's decrypted by 1BL,
    290 and runs from internal SRAM.
    292 It does a basic hardware initialization, and contains the "fuse check code",
    293 which verifies the "2BL version". The fuses store the expected version.
    294 The 2BL stores a "Version" and a "AllowedMask" (=bitfield), and
    295 this is usually stored at address 0x3B1 / 0x3B2..0x3B3.
    297 Xenon Zephyr Falcon Jasper
    298 2 0003 1888, 1901, 1902
    299 4 1920 "new zeropair code"
    300 5 0010 1921 4558 5760,5761,5770 6712 TA-fixed
    302 It then verifies the pairing information stored in the 2BL header. Part of
    303 this verification is a checksum check of the NAND area which was used to
    304 load the SMC code from.
    306 It also contains a virtual machine and some
    307 code to run on this machine. The virtual machine code, which is pretty
    308 complicated, does the following things:
    309 - Initialisation of the PCI-Bridge
    310 - Disable the GPU PCIE JTAG test port
    311 - initialize the serial port
    312 - talk to the SMC to clear the "handshake"-bit
    313 - initialize memory
    314 - hopefully not: generate RROD if memory init fails
    316 After that, the external (512MB) memory will be initialized and usable. 2BL
    317 then decrypts the 4BL into this memory. Memory encryption will already be
    318 enabled - no executable code is *ever* written unencrypted.
    4BL ("CD")

    This code is responsible for checking and unpacking 5BL, as well as applying
    update patches. First, the fuses are read to determine the console "Update
    Sequence", a number which basically counts the number of updates installed.
    Since updates are, in the same way as 2BL, paired to a console, this allows
    the console to be configured in a way that no old update will be used. So each
    update slot stores the maximum value of burned fuses (well, essentially the
    exact value). The base kernel also has an associated value, usually zero,
    but this can be changed in the 2BL pairing data block. This is what the
    timing-attack increments, in order to revert to the 1888 kernel.

    5BL ("HV/Kernel")

    The HV and kernel are merged into a single image, which is compressed with a
    proprietary algorithm (LDIC).
    6BL ("CF"), 7BL ("CG")

    This is part of a system upgrade. Each console has a so-called "Base
    Kernel", which is the 1888 kernel which was available on launch back in
    2005. Then there are two "update slots" - areas of 64k each (128k on
    Jasper), which contain a 6BL and 7BL. 6BL is code which applies the
    update, using a clever delta-compression. 7BL is the actual delta-compressed
    update, essentially a binary diff.

    Oh, updates are >64k. So only the first 64k are actually stored in the
    update slots, the rest is stored in the filesystem as a special file. Since
    6BL doesn't contain a filesystem parser, a blockmap is added in 6BL which
    points to the sectors which contain the rest of the update.
    Zero-Pairing

    Now there is a special situation: If the 2BL pairing block is all-zero, the
    pairing block will not be checked. However, a bit is set so that the kernel
    doesn't boot the dashboard binary, but a special binary called
    "MfgBootLauncher", where "Mfg" probably stands for "Manufacturing". So this
    is a leftover of the production process, where the flash image is used on
    all hardware, probably also before any CPU-key has been programmed.

    By abusing this feature, we can easily produce a flash image
    which runs on all hardware. However, 4BL won't look at update slots when it
    detects this mode, so we end up in the 1888 base kernel. And we can't run
    the dashboard, so it's impossible to escape this mode.

    Previously, this has been deemed very uninteresting, because first the 1888
    isn't exploitable by the KK exploit, and second because it's impossible to
    run the KK game anyway.

    However, starting with 2BL version 1920, an interesting thing happened:
    The encryption key for 4BL is generated with the help of the CPU-key now.
    That means that without the CPU-key, it's not possible to decrypt the 4BL
    anymore. Note that each 2BL has exactly a single valid 4BL binary - 2BL
    contains a hardcoded hash for the 4BL, and doesn't use RSA.

    However, when zeroed pairing data is detected, the CPU-key is NOT used in this
    process, like it was previously. That also means that you cannot just zero-out
    the pairing data anymore - the 4BL would be decrypted with the wrong key
    then. Instead you need to decrypt the 4BL (which requires knowing the CPU
    key), and re-encrypt it with the old algorithm.

    However, 1920 was susceptible to the timing attack - so a CPU-key recovery
    was possible on one console, which allowed us to decrypt the 1920 4BL. That
    4BL shows a very interesting change: Whenever zero-pairing is detected, the
    update slots are not ignored anymore. Instead, if the update-slots are
    zero-paired as well, they are applied.

    This change allows us to boot any kernel, provided we have a (1920 and up)
    2BL/4BL set which runs on that machine. This is very important, because we
    can build up an image now which runs into the 4532 kernel, regardless of how
    many update fuses are set. However, the 2BL revocation process must be
    passed, so we are not completely independent of the fuses, still. But since
    we use zero-pairing, the SMC hash doesn't matter anymore (there are other
    ways to work around the SMC hash problem, like the TA, but we get this for
    free). Still, we boot into the MfgBootLauncher (into the 4532 version now,
    which does a red/green blinking thingie - you'll notice once you see it,
    it's very unique and doesn't look like any RROD or so). But thanks to the
    SMC/JTAG hack described above, this allows us to launch our attack from this
    state.
    Newer consoles (which have the TA fix) don't run 1920 anymore. They run, for
    example, 1921. The problem is that we cannot run HV code on these machines,
    so we don't know the CPU key. However, when comparing the 1921 and 1920 2BL
    (which we can still decrypt), the only change is the addition of the timing
    attack fix (i.e. replacing two memcmp instances with a memdiff function).
    Also, we know the expected hash value of the decrypted 4BL. Based on a 1920
    4BL, a guess at what has changed functionally, and the new size of the
    4BL, we were able to guess the modifications, which yields an image which
    passes the 2BL hash check. Note that this is not a hash collision - we did
    merely derive the exact image by applying the changes between 1920 2BL and 1921
    2BL into 1920 4BL, yielding the 1921 4BL.

    The 1921 2BL theoretically runs on all machines so far, even TA-proof ones.
    But it crashes on Zephyr, Falcon and Jasper. The reason is the VM code,
    which doesn't cover the different GPUs (Xenon has a 90nm GPU, Zephyr and
    Falcon have 80nm, Jasper has 60nm, so there are 3 GPU revisions in total).

    But the step from 1921 to, say, 4558, is even smaller. It's just the
    different version number, plus a slight difference in the memcpy code, which
    again can be ported over from 2BL.

    Jasper's 67xx is a different thing, since this code adds support for the
    largeblock flash used in "Arcade"-Jasper units. We have used some magic to
    retrieve this code.

    So we now have ALL 4BL versions. Isn't that great? It means that ALL
    machines can run the 4532 kernel. The good news is also that the 4532 kernel
    supports Falcon consoles, and runs long enough to also work on Jasper
    consoles (because we exploit way before the different GPU is touched at
    all).
    Troubleshooting
    ---------------

    Q: "The power supply goes red when plugging in power!"
    A: You shorted a power pin, probably V33_SB, the one attached to the NAND
    flash. Carefully look for solder residues. Use a lot of flux and a
    properly-heated soldering iron.

    Q: "The power supply stays yellow when I press the power button, and nothing
    else happens."
    A: The SMC code is invalid. This can be a misconnected flashrom, an illegal
    image, a bad flash or simply a bad SMC code.
    Verify:
    - Electrical connections first.
    - Did you flash with the proper ECC settings? The flash images we are
    working with usually contain raw ECC information, i.e. 512+16 bytes per
    sector. Make sure your flash programmer is not modifying these 16
    bytes, but writing those as they are.
    - Have you used the right SMC image?

    Q: "The fans run at full speed immediately."
    A: This is very likely a bad SMC config sector. Did you flash all the parts
    generated by the image creation tool at the proper position?
    Note that offsets are given as payload offsets, not counting ECC bytes.
    Usually this matches what your average NAND programmer tells you, but in
    case you re-assembled these into a single image, take care to properly
    convert the offsets.

    Q: "I get E79"
    A: This means that, congratulations, your console is still booting into a
    kernel, and just cannot go further (which was to be expected, given that
    there is no filesystem anymore).
    You're almost there, but for some reason, the DMA attack didn't run.
    This can be either that you didn't use a patched SMC, or that the target
    address wasn't inserted properly.

    Q: "Console powers on, but I get a black screen."
    A: Well, there are many reasons here again. First, wait some time (~1
    minute), and see if you get a RROD. If you do, the VM code failed to
    handshake with the SMC (error code XXXX), which usually means that it
    crashed, and the SMC watchdog triggered until it retried too often.
    Did you use the proper 2BL/4BL image for your machine type? Did you use a
    recent enough SMC version? Since the VM code took more and more time
    (from roughly half a second in 1888 to several seconds in 1920), the SMC
    code was modified to time out later. Be sure to use a known-good SMC
    version, if possible, based on the version which was installed before.
    If you don't get a RROD, please try checking your POST code. You can do
    this via CPU JTAG, or by measuring the 8 POST pins.

    Post code 6C:
    The exploit failed, somehow.

    Post code 10:
    Our code is running! That's great, but it failed copying the XeLL-payload
    from flash. Try booting into the alternate loader (see below in the
    "exploit loader" section), or reflash.

    Post code 11:
    Exploit code ran, and jumped into XeLL. XeLL crashed. Try alternate
    loader, or do serial upload for recovery, if you really screwed up both the
    primary and secondary loader. (You failed, in that case.)

    Post codes >= 0x80:
    Those are errors from the bootloader. Please check the disassembly of
    those loaders to see what's wrong exactly. It shouldn't happen unless you
    have a bad flash.

    Post code 0xA0:
    Your 2BL didn't want to run on your hardware due to the 2BL revocation
    fuses. Use a more recent 2BL/4BL set for your hardware. If you're already
    running {1921, 4558, 5770, 6712} then you're out of luck. Your box was
    already updated to a newer 2BL, which likely fixed what we used to
    exploit. Restore R6T3, restore the flash image, and use this console for
    playing games. Get another console, and try again.
    Please note that some hardware elements are not properly initialized at the
    early time of the exploit. This affects:

    CPU:
    - The CPU is initialized in low-power mode, where it runs at quarter-speed.
    Setting the CPU power mode is possible, of course, but needs to be
    reverse-engineered from the corresponding hypervisor syscall.

    GPU:
    - A full screen setup is required, including the programming of the
    ANA-chip. Code is available for setting up a 640x480 VGA mode, support
    for other resolutions needs to be added.
    - EDRAM must be "trained". This is what fails when the E-74 error is
    displayed. The code is rather complex, and has been
    reverse-engineered, but doesn't run properly yet. However, it has been
    shown to work a bit, and can likely be tweaked to work properly.

    SATA:
    - SATA likely needs some reset sequence. Linux kernel does this fine, but
    XeLL doesn't work.

    All of these issues are expected to be fixed.

    This hack can also be used to reboot into a Microsoft kernel, in order to keep the
    possibility of playing games locally. This is not within the scope of this
    document, and is actually not related to this hack at all. This hack allows
    you the execution of software - and YOU decide what software that should be.
    It could be Linux, your favourite emulator, or a rebooter.

    Note that we do not support patching the Microsoft kernel for piracy
    under any circumstances. Also, playing on LIVE with a modified console
    won't be possible without getting banned, ever. There are already
    challenges in place which detect any unauthorized modification. We urge you
    to not abuse this hack for piracy.
    --------------

    The first own code which is executed is a small loader, which operates in
    the following way:

    - If a character is present on the serial port, it will be read.
    - if that character is '@', we will enter serial upload mode.
    - if that character is ' ', we will use the backup bootloader
    - if not serial upload mode:
      - POST 0x10
      - read bootloader from flash (either backup or normal)
      - POST 0x11
      - run
    - serial upload mode:
      - output '>'
      - receive characters
      - after 10 consecutive 'x', stop upload
      - output '!'
      - run

    This allows some kind of recovery if you want to update the in-flash
    bootloader.

    The used addresses are the following:
    FLASH_BASE is the location in flash of the backup bootloader,
    FLASH_BASE + 0x40000 is the location of the main bootloader,
    CODE_BASE is the memory address of the bootloader in ram.

    By default, the following memory map is used:

    00000000..00100000: SMC, KV, CB, CD, CE, CF, CG, backup bootloader
    00100000..00140000: main bootloader
    00140000..00f7c000: empty space
    00f7c000 : smc config block
    00ffc000 : exploit buffer

    But this can be tweaked.
    CREDITS:

    A lot. First, thanks to all of you who have been working on Xbox 360
    reverse engineering. Thanks to everybody involved in technical discussions
    on

    (in order of appearance)
    recovery of CB1920 by robinsod,
    initial JTAG reverse engineering by tmbinc,
    getting important facts straight by SeventhSon,
    first description of how it worked out by Martin_sw,
    SMC JTAG code, lots of testing and debugging by Tiros,
    jester, for proofreading of this document

    Shadow Complex Unlimited Health & Side Weapon
    ***UPDATE*** Unlimited Side Weapon Tutorial

    Before starting write down your Health Amount, mine is 200.


    Open the save up in HxD, search for 200 in hex (00 C8). After finding "00 C8" in binary I found another location.

    The locations for health are D020 Block:D023-D023 & F020 Block:F023-F023

    Replace both locations with 999999999 in hex (3B 9A C9 FF).

    Replace D020-D023 with "3B 9A C9 FF"

    Then replace F020-F023 with "3B 9A C9 FF"

    When you go into the game you should get 999.

    When you get hit it doesn't go down, just like if you're unstoppable.

    The sad part about this hex, is that u have to re hex the file again after u have saved and shutdown your 360.

    Hopefully this works for ppl. if its unlimited please post.


    Open Shadow Complex Save.

    Locate D020 or search for Health.

    From Block:D024-D027 type, 03 A1 30 40.

    Locate F020 or search for Health

    From Block:F024-F027 type, 03 A1 30 40.

    From my Completed save these are the Unlimited Codes for All special weapons.
    03 is the Hook so thats always the same, A1 is Rockets, 30 is Foam & 40 is grenades.
    This works for me, i started a new game i only have grenades right now but its unlimited.

    I just realized that I'm level 50 so that's maybe why I have unlimited side ammo. If u want level 50 follow tutorial.

    LEVEL 50

    Write Level Down

    Open Save in HxD

    Search for Level in HEX not decimal

    Locations for Level are D5C0 Block: D5CB-D5CB & F5C0 Block: F5CB-F5CB

    Replace Both Locations with 50 in hex it is "32"

    REHASH, I use Hash Block Calculator

    Not much but what do you expect..Game-tuts suck azz-nuggets
    • Like Like x 63
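    The small recovery loader described in the leaked document above (the '@' / ' ' serial choice, the POST 0x10/0x11 steps and the ten-'x' upload terminator) is easier to follow as a runnable model. The code below is an added example written for this thread, not the loader from the original document or anything the author posted; FLASH_BASE = 0xC0000 is inferred from the memory map (main bootloader at 0x100000 = FLASH_BASE + 0x40000), the 0x40000 slot size and the rule that the terminating 'x' bytes are not part of the payload are assumptions.

```python
# Added example (not from the Free60 document or this post): a model of the
# recovery loader's decision logic. Flash contents and serial traffic are
# constructed in memory; "run" is modelled by returning the selected code.
# ASSUMPTIONS: FLASH_BASE = 0xC0000 (inferred from the memory map), a slot
# is 0x40000 bytes, and the ten terminating 'x' bytes are not payload.
FLASH_BASE = 0xC0000
MAIN_OFFSET = 0x40000
SLOT_SIZE = 0x40000
POST_READ_FLASH, POST_RUN = 0x10, 0x11


class SerialPort:
    """Constructed in-memory serial port: pending input bytes, captured output."""

    def __init__(self, incoming: bytes = b""):
        self.incoming = bytearray(incoming)
        self.outgoing = bytearray()

    def available(self) -> bool:
        return bool(self.incoming)

    def read(self) -> int:
        if not self.incoming:
            raise EOFError("serial input exhausted before upload finished")
        return self.incoming.pop(0)

    def write(self, data: bytes) -> None:
        self.outgoing += data


def loader(flash: bytes, serial: SerialPort, posts: list) -> tuple:
    """Returns (path, code). `path` is 'serial', 'backup' or 'main';
    POST codes emitted on the flash path are appended to `posts`."""
    ch = serial.read() if serial.available() else None
    if ch == ord("@"):                      # serial upload mode
        serial.write(b">")
        payload, run = bytearray(), 0
        while True:
            b = serial.read()
            payload.append(b)
            run = run + 1 if b == ord("x") else 0
            if run == 10:                   # ten consecutive 'x' end the upload
                break
        del payload[-10:]                   # drop the terminator itself
        serial.write(b"!")
        return "serial", bytes(payload)
    use_backup = ch == ord(" ")             # any other byte: normal boot path
    posts.append(POST_READ_FLASH)
    off = FLASH_BASE if use_backup else FLASH_BASE + MAIN_OFFSET
    code = bytes(flash[off:off + SLOT_SIZE])
    posts.append(POST_RUN)
    return ("backup" if use_backup else "main"), code


def make_flash() -> bytearray:
    """Constructed 0x140000-byte flash image with markers in both slots."""
    flash = bytearray(FLASH_BASE + MAIN_OFFSET + SLOT_SIZE)
    flash[FLASH_BASE:FLASH_BASE + 6] = b"BACKUP"
    flash[FLASH_BASE + MAIN_OFFSET:FLASH_BASE + MAIN_OFFSET + 4] = b"MAIN"
    return flash
```

    Calling `loader(make_flash(), SerialPort(b" "), [])` exercises the backup path and returns the slice that starts with `b"BACKUP"`; a shorter run of 'x' bytes inside an upload is kept, only the ten-in-a-row terminator ends it.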
  2. xbh1h2

    xbh1h2 Getting There

    Awesome! Thanks man. The gamesave site will be great.
  3. C00LAR

    C00LAR Enthusiast

    i dont like game tuts much but wasnt this a bit mean?
  4. OP

    Anubis Information Technician - PCMasterRace

    Added GPI 2.0

  5. SiK GambleR

    SiK GambleR VIP VIP Retired

    lol thanks man, wrong section though, leaks are always welcomed :thumbup:

    shoulda made individual threads for the stuff tho
  6. OP

    Anubis Information Technician - PCMasterRace

    Ehh, easier when all in here so i can just keep adding them...they'll never find out how i'm in VIP there lol. Feel free to move this to wherever it fits. I didn't know where to put this so i chose here cause it's all 360 stuff.
  7. SiK GambleR

    SiK GambleR VIP VIP Retired

    yeah i dont blame u.
    and i dont understand the title.
  8. xbh1h2

    xbh1h2 Getting There

  9. Sixen

    Sixen Enthusiast

  10. Gears Gamer

    Gears Gamer Enthusiast

  11. Sfunx

    Sfunx Enthusiast

    Lol, owned.

    Good post, and I think it's better it's all in one post. Easier to keep track of. Keep up the good (?) work.
  12. sickest

    sickest Enthusiast

  13. Tuxedo

    Tuxedo Getting There

    Wow thanks for all that crap. Ima try to get the GH3 autoplay thing working :smile:
  14. OP

    Anubis Information Technician - PCMasterRace

    Added Xbox 360 Tool Marketplace 1
    • Like Like x 1
  15. A Roadkill Baby

    A Roadkill Baby Enthusiast

  16. OP

    Anubis Information Technician - PCMasterRace

    Added Total control over your xbox 360
  17. I Play Xbox

    I Play Xbox Enthusiast

  18. Modified

    Modified Getting There

    I can't believe I even purchased the GameTuts VIP. It was a waste of money IMO. And this thread should be renamed, just to make it a bit more clear.

    You are a bad lol
  19. OP

    Anubis Information Technician - PCMasterRace

    Changed Title so more people may come.

    edit/ Damn it, it doesn't change the title outside the thread...well that's stupid
  20. SiK GambleR

    SiK GambleR VIP VIP Retired

